Many of you will now be working from home or remotely due to the coronavirus pandemic.
At Xynics we have been working remotely when required for many years and have lots of tips based on our expertise on how to work safely, securely and compliantly.
1. Follow your organisation’s policies, procedures and guidance.
- Your organisation will have adapted their approach to ensure that data is adequately protected. Avoid the temptation to do things in a way you think is more convenient, such as sending emails through your personal account or using the video conferencing app that you use with friends for work calls.
- Many data protection policies are dependent on a computer being connected to the company network or the internet. While working remotely, however, employees may not always have a continuous internet connection available. This means that, for the duration that their computer is offline, data protection policies are no longer active, risking both data loss and noncompliance with data protection legislation.
- One way of ensuring data protection policies remain in place even when employees work remotely is to apply them on the endpoint, meaning that data protection software is installed directly on the devices rather than at network level. In this way, policies will stay active no matter where the devices are located.
2. Only use approved technology for handling personal data.
- If your organisation has provided you with technology such as hardware or software you should use it. This will provide the best protection for personal data.
- Regardless of where you are working you should always follow best practice, and of course make sure that you are remaining compliant. Be mindful that the laws may change or that timeframes may differ as we all adapt to working through this pandemic.
- You may be tempted to start using new software to facilitate your work, such as video conferencing tools, messaging applications, and document sharing services. It’s essential for companies to choose these solutions before employees take matters into their own hands and start using unauthorised software that is not up to business standards and compliance requirements.
3. Consider confidentiality when holding conversations or using a screen.
- You may be sharing your home working space with other family members or friends. Try to hold conversations where they are less likely to overhear you, and position your screen where it is less likely to be overseen. If you sit near a window, others walking past may see your screen and therefore your data, so position your screen away from the window to protect it from others’ eyes, and make sure you still lock your screen when you walk away.
- Position screens and papers so that they cannot be read by others. In data protection terms family members are just third parties to whom information must not be disclosed.
- The instinct to treat data protection as negligible in extreme circumstances goes against one of the fundamental principles of the new wave of data protection legislation spearheaded by the EU’s General Data Protection Regulation (GDPR): data protection by design and by default. It means that data protection is no longer an afterthought that companies can choose to incorporate in their strategies depending on a given situation, but needs to be one of the foundations of business operations.
4. Take care with print outs and securely disposing of your data.
- At the office, it is likely you can use confidential waste bins. At home you won’t have that facility. Follow your organisation’s guidance or safely store print outs until you can take them into the office and dispose of them securely.
- Data Protection law requires that old data that serves no defined useful purpose is disposed of and not kept longer than necessary. A key part of the control of data, this helps protect your business in the event of a breach of security, availability or confidentiality of data by minimising the volume of information available to be affected.
5. Don’t mix your organisation’s data with your own personal data.
- If you have to work using your own device and software, keep your organisation’s data separate to avoid accidentally keeping hold of data for longer than is necessary. Ideally, your organisation should have provided you with secure technology to work with.
- Avoid storing work information on personal devices unless authorised to do so. If you have to use your own device, then make sure you are saving your work onto the organisation drive and not on your desktop. The last thing you want to end up with is multiple copies of the same document.
- Make sure family and friends understand that, for data privacy, they cannot use your work devices, as they can accidentally erase or modify information, or, perhaps even worse, accidentally infect the device.
6. Lock it away where possible.
- To avoid loss or theft of personal data, put print outs and devices away at the end of the working day if possible.
- If printing is enabled, make sure any confidential documents are in secure storage and are shredded if no longer used. Papers that cannot be securely disposed of should be secured until they can be returned to the workplace for secure storage or destruction.
7. Be extra vigilant about opening web links and attachments in emails or other messages.
- Experts from the National Cyber Security Centre have revealed a range of attacks being perpetrated online as cyber criminals seek to exploit COVID-19.
- Techniques seen since the start of the year include bogus emails with links claiming to have important updates, which once clicked on lead to devices being infected.
- Our advice is not to click on unfamiliar web links or attachments until you are certain that the sender is genuine.
8. Use strong passwords.
- Check your password policies and ensure that these are adhered to. Current recommendations from the National Cyber Security Centre are to:
1. Reduce reliance on passwords by implementing Single-Sign-On solutions and/or Password Managers.
2. Use Multi-Factor Authentication where possible (something you physically have in addition to a username and password).
3. Actively monitor authentication attempts and proactively act upon suspicious activity.
- Blacklist simple passwords and do not enforce strong password complexity (Uppercase, Lower Case, Numbers and Symbols). Instead use things like ‘three word combo’ passwords, for example “RocketmarsBristol”. If you do not use Single-Sign-On or Password Managers, do enforce different passwords on different systems, using techniques like prefixing and suffixing a regular password with the first and last letter of the site or system (“gRocketmarsBristole” for Google), or replacing the first and last characters (“GocketmarsBristoe”).
- Do not use “Administrative” privileges on “daily use” accounts. Have dedicated admin accounts and elevate permissions with that user only when needed.
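The deny-list approach described above (reject simple passwords instead of enforcing complexity rules), shown as an added Python example that is not Xynics's or the NCSC's own code. The sample deny-list, the 12-character minimum and the substitution table are assumptions made for illustration.

```python
import re

# Constructed sample deny-list (assumption); a real deployment would load a
# large list of common and breached passwords instead.
DENYLIST = {"password", "letmein", "qwerty", "welcome", "coronavirus"}

# Assumed minimum length; the page does not specify one.
MIN_LENGTH = 12

# Common character substitutions undone before the deny-list lookup (assumption).
LEET = str.maketrans("@4031$5!7", "aaoeissit")


def normalise(password: str) -> str:
    """Reduce a password to the base word a guessing wordlist would contain."""
    lowered = password.lower()
    # Drop leading/trailing digits and symbols such as "2020!" first, so that
    # only substitutions inside the word are undone.
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    return stripped.translate(LEET)


def check_password(password: str, context: tuple = ()) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    `context` holds user-specific words (username, company name) that are
    treated as deny-listed too. No character-class rules are applied.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    base = normalise(password)
    denied = DENYLIST | {word.lower() for word in context}
    if not base:
        reasons.append("no word content")
    elif base in denied:
        reasons.append("deny-listed")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("RocketmarsBristol", "P@ssw0rd1!", "Coronavirus2020!"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

“Coronavirus2020!” satisfies a typical complexity rule yet is rejected here, while “RocketmarsBristol” has no digits or symbols and is accepted.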
9. Communicate securely.
- Use the communication facilities provided to you by your organisation where available.
- If you have to use email, which isn’t always secure, consider password protecting documents and sharing the passwords via a different channel, like text.
- Where possible use secure sharing sites. Here at Xynics we use Microsoft OneDrive, which allows us to save our work centrally and securely share areas with others when required.
10. Keep software up to date.
- If you’re using your own equipment, don’t be an easy target for hackers. Keep your security software up to date to make it more difficult for them to get in. If your organisation has provided you with technology to work from home, this should be managed for you.
- Check things like your Windows version, internet router firmware or any externally facing applications or websites that hold or capture personal data or provide access to systems. Windows 7 support has ended, as has Mac OS El Capitan (10.11), so if you use either of these you should upgrade as soon as possible to stay secure. Microsoft SQL Server 2008 and 2008 R2 are both out of support, as is Windows Server 2008 R2 or below. Xynics can help you determine which of the software you use is currently supported.